Reputation: 51
I've got an issue with my GCE HTTP(S) load balancer: it's not detecting the correct X-Client-Geo-Region etc.
Because we need to serve currently 3000 (increasing every day) custom domains with SSL, I couldn't find another way to build this infrastructure without having custom SSL termination. And I wanted to use Cloud Armor to remove another thing to maintain, else I'd have installed ModSecurity on the nginx proxy.
EntrypointA is not working, only showing the US region.
EntrypointB is working as expected, detecting the correct region (GB). Of course this bypasses SSL.
```
                                          EntrypointB
                                               |
                                               V
EntrypointA -> SSL Termination Service -> GCE Loadbalancer -> GCE Instance (Http server)
               (Nginx proxy)                   ^
                                               |
                                          Cloud Armor
```
So far I've tried setting every header I could find in the proxy, but either the load balancer doesn't look at headers or it's one I'm not aware of.
Headers I've tried:
```nginx
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-User-IP $remote_addr;
proxy_set_header X-ProxyUser-Ip $remote_addr;
proxy_set_header True-Client-IP $remote_addr;
```
When I check the headers on the server they all look correct (excluding the geo ones, of course). X-Forwarded-For is correct and so is X-Real-IP.
Upvotes: 1
Views: 1498
Reputation: 4245
For that to work, Nginx needs to be forwarding all necessary headers to the GCE load balancer. To forward them correctly, this config might help:
```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate     /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    location / {
        proxy_pass http://your_backend_server;
        # Preserve the original Host and client address for the next hop.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
In addition, Nginx needs to enable the GeoIP module and have it configured to provide geo information. You need to install the GeoIP module if it is not already installed and then configure it to set the X-Client-Geo-Region header. Basically, that's done in this block of code (which I haven't tested, to be honest...):
```nginx
http {
    # Legacy ngx_http_geoip_module (libGeoIP .dat databases).
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    geoip_city    /usr/share/GeoIP/GeoIPCity.dat;

    # map must live in the http context; it derives the region header value
    # from the country code the GeoIP lookup produced for $remote_addr.
    map $geoip_country_code $client_geo_region {
        default "";
        US      "US";
        GB      "GB";
        # Add other country codes as necessary
    }

    server {
        listen 443 ssl;
        server_name yourdomain.com;
        ssl_certificate     /path/to/your/certificate.crt;
        ssl_certificate_key /path/to/your/private.key;

        location / {
            proxy_pass http://your_backend_server;
            proxy_set_header Host                $host;
            proxy_set_header X-Real-IP           $remote_addr;
            proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto   $scheme;
            proxy_set_header X-Client-Geo-Region $client_geo_region;
        }
    }
}
```
Note: a tool like curl can be useful for testing here.
Upvotes: 1
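Added example (not from the answer above, and Python rather than nginx): the backend in the question sits behind two proxies, the nginx SSL-termination host and the GCE load balancer, so the application should recover the client address by walking X-Forwarded-For from the right past the hops it trusts, instead of taking the leftmost value, which the client itself can forge. The proxy address and header chains are constructed sample values; the load balancer proxy ranges are an assumption to verify against the current GCP documentation.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample values (documentation ranges, not real hosts).
NGINX_PROXY = "198.51.100.20"   # the SSL-termination nginx host
# Assumption: documented GCE external HTTP(S) LB proxy source ranges;
# verify against the current GCP docs before relying on them.
GCLB_PROXY_RANGES = ("130.211.0.0/22", "35.191.0.0/16")
TRUSTED_HOPS = (NGINX_PROXY + "/32",) + GCLB_PROXY_RANGES

def resolve_client_ip(xff: str, remote_addr: str,
                      trusted: Iterable[str] = TRUSTED_HOPS) -> Optional[str]:
    """Walk the X-Forwarded-For chain from the right, skipping trusted hops.

    The full chain is every XFF entry plus the TCP peer (remote_addr), the
    only hop the backend can vouch for itself.  The first address from the
    right that is not a known proxy is the client.  Returns None when a hop
    is malformed or every hop is a trusted proxy.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None          # refuse to guess on a malformed hop
        if not any(addr in net for net in nets):
            return str(addr)
    return None                  # no untrusted hop: nothing to report

def demo() -> dict:
    """Three chains as the backend would see them (constructed values)."""
    # Honest client 203.0.113.7 via nginx: nginx appends it
    # ($proxy_add_x_forwarded_for), the LB appends nginx's address and is
    # the TCP peer.
    honest = resolve_client_ip("203.0.113.7, 198.51.100.20", "130.211.1.5")
    # Same path, but the client sent its own forged XFF of 1.2.3.4. Leftmost
    # parsing would report 1.2.3.4; walking from the right still finds it.
    forged = resolve_client_ip("1.2.3.4, 203.0.113.7, 198.51.100.20",
                               "130.211.1.5")
    # EntrypointB in the question: no nginx hop, the LB's peer is the client.
    direct = resolve_client_ip("203.0.113.7", "130.211.1.5")
    return {"honest": honest, "forged": forged, "direct": direct}

if __name__ == "__main__":
    print(demo())
```

Any address the load balancer itself inserts into the header must also be in the trusted set, otherwise it is returned as the client; conversely, a trusted set that is too broad skips the real client and hands back the forged entry to its left.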
Reputation: 21
Per the GCP HTTP(S) LB docs, TLS is terminated in different locations around the world to minimize latency. So the best product for having geographic control is Network Load Balancers, in order to terminate TLS on the backend instances.
Maybe that approach will not fit your needs, so you may want to explore Cloudflare instead.
Upvotes: 0